## Bleichenbacher's CCA2 on RSA

### jshmendes

39 solved
March 15, 2016, 11:28 a.m.

Hello There, Is there an optimal choice for the first s ? I have tried random values (but I am sure there is a better choice) for a few hours, with no luck. Any hint ? Thanks

### anton

Staff
March 15, 2016, 6:47 p.m.

I started with the value s = ceiling(N / 3B) ( B being defined in the paper as 2^(8 * (k-2)) ). This is the same value as is recommended in Step 2.a of the paper.

### ryandiaz6

15 solved
July 14, 2016, 12:13 a.m.

I arrive at a valid solution but it is 14 hex characters, and a bunch of 0's padded on the right. They are not ASCII characters and this doesn't resemble a valid padded message. Any thoughts? I wouldn't think a valid solution would be found by accident.

### anton

Staff
July 14, 2016, 5:51 a.m.

That doesn't sound quite right, you can email us with the specifics if you like. Otherwise I'm not sure there's much I can recommend beside double checking you implemented the algorithm, as described in the paper, correctly

### ryandiaz6

15 solved
July 14, 2016, 10:59 p.m.

I rewrote basically the exact same algorithm on a python 2.7 machine and got the correct answer. The python 3 version seems to give an incorrect answer. In any case I got it, thanks.

### anton

Staff
July 15, 2016, 8:45 p.m.

It may have to do with the fact that python 2 will round down to the nearest integer when you divide two integers. Python 3 will actually give you back a float when you divide two integers (use // in 3 to get the behavior of / in 2). In any case, congrats on solving the problem!

### dottedmag2

41 solved
Dec. 8, 2020, 11:35 p.m.

Is it expected that the oracle returns 0 on the original ciphertext?